Trust can be defined as a feeling of security, assurance and integrity that instils confidence in the future. This feeling, vital to all types of relationships, becomes especially important in a setting where the people involved are neither physically together nor even in the same country.
This issue of trust, which has no legal definition, demands positive action from all stakeholders: governments, organisations and users. It continues to be the cornerstone of risk governance in both Europe and Canada, and more specifically in Quebec.
In response to this need for trust, and following the example of the GDPR, Quebec lawmakers have modernised the legal framework that applies to personal data protection. Key elements of the new framework include accountability and transparency, along with strengthened rights for individuals. It also increases fines for non-compliance.
Quebec’s modernisation began in September 2022, will continue in September 2023 and will be completed in September 2024. It is expected to be rolled out to other Canadian provinces and at federal level over the coming months.
Data protection compliance on both sides of the Atlantic is therefore based on the principle of accountability: without a framework for the roles played by parties involved in data management, there is no accountability, and consequently no trust.
Trust and its limits
Another aspect that goes hand in hand with trust and accountability is transparency of use. Trust must not be blind. It needs a measure of objectivity so that people who place their trust in something keep a critical eye that allows them to withdraw their trust at any time. Trust is not a given. It can turn into distrust or mistrust.
This transparency takes the form of positive action right from the design stage of a product or service, by integrating the fundamental principles of data protection (lawful and limited data collection with an explicit purpose) and the use of privacy impact assessments.
Other measures include writing and publishing a privacy policy and making it available to website users (with effective means of redress), introducing policies, procedures and directives governing the life cycle of personal data, and setting up mandates or service agreements defining the rights and obligations of all parties involved, particularly with regard to measures for managing security (or privacy) incidents involving personal data.
The documentation underpinning this governance (the concept of accountability), the appointment of a data protection officer – a function only recently added to legislation applicable to companies in Quebec, though it has long been a requirement for public bodies – and the implementation of verification, audit and accountability processes at every stage of the rollout of a service or product, with constant adaptation to needs, uses and changes in the cybersecurity threat landscape, are also trust indicators that are essential to managing an organisation’s reputation.
Artificial intelligence, generally speaking, and innovation must take place within the virtuous cycle of trust. The challenge of creating value, a key business driver, hinges, as ever, on staying focused on the triad of regulatory compliance, accountability and transparency. This builds trust while strengthening reputation.
Aligning Quebec’s legislation, in both the public and private sectors, with the fundamental principles of the GDPR undeniably provides a competitive advantage. It gives businesses the ability to compete in the most demanding international markets. Trust is therefore both a challenge and a business opportunity for companies.
![[NANO Corp] Fanch Francis: “To build a European champion, you have to look for customers and investors in Europe from the outset.”](https://incyber.org/wp-content/uploads/2023/07/Fanch-Francis-1-480x300.png)
